Check an IP Address, Domain Name, Subnet, or ASN

212.113.98.30 was found in our database!

$ whois 212.113.98.30

country·🇷🇺 Russia

city·Moscow

isp·Nekobyte International Limited

asn·AS206134

network·Standard

$ sikker risk 212.113.98.30scoring →

confidence

100%Very High

first_seen·Jan 21, 2026

last_seen·31m ago

first_reported·Feb 24, 2026

last_reported·Mar 22, 2026

sessions·5,385

events·16,131

reports·96

$ sikker protocols 212.113.98.30

POSTGRES

2,323 / 12,769 / 96r

DOCKER

3,062 / 3,362

$ sikker summary 212.113.98.30

212.113.98.30 has a threat confidence score of 100%. This IP address from Russia (AS206134, Nekobyte International Limited) has been observed in 5,385 honeypot sessions and reported 96 times targeting POSTGRES, DOCKER protocols. Detected attack patterns include postgres rce with superuser persistence and capability suppression, postgres copy from program rce with superuser persistence, docker remote api container creation sequence. First observed on January 21, 2026, most recently active April 21, 2026.

$ sikker behaviors 212.113.98.30catalog →

very_highPostgres Rce With Superuser Persistence And Capability Suppression9x

Represents an advanced PostgreSQL compromise chain where an attacker achieves OS command execution via COPY ... FROM PROGRAM, establishes persistent administrative access by creating a new superuser role, and then deliberately revokes the pg_execute_server_program privilege from the default postgres role.

highPostgres Copy From Program Rce With Superuser Persistence5x

Represents a full PostgreSQL host compromise chain in which an attacker fingerprints the database server, prepares a temporary table to capture command output, executes arbitrary OS commands via COPY ... FROM PROGRAM (commonly using base64-encoded shell payloads), and subsequently establishes persistence by creating a new PostgreSQL role with LOGIN and SUPERUSER privileges. This behavior indicates successful remote command execution on the database host followed by deliberate persistence inside PostgreSQL, allowing the attacker to retain long-term administrative access even if the initial access vector is closed.

highDocker Remote Api Container Creation Sequence1x

Identifies a coordinated interaction with the Docker Remote API where an actor issues HTTP GET and POST requests culminating in container creation. This pattern is consistent with automated abuse of an exposed Docker daemon (typically unauthenticated on TCP/2375), where the attacker probes the API and then programmatically creates a container for code execution or persistence.

$ sikker primitives 212.113.98.30

docker_post_method1370 docker_get_method685 docker_container_create685 postgres_drop_table_if_exists18 postgres_select_table_contents18 postgres_show_server_version9 postgres_create_superuser_role9 postgres_create_table_cmd_output9 postgres_copy_from_program_command_execution9 postgres_revoke_execute_server_program_privilege9

$ sikker reports 212.113.98.30submit →

Showing 5 of 25 reports (96 total) from 1 contributor

Reporter	Date	Category	Protocol	Comment
User	Mar 22, 2026, 06:11	Brute Force	POSTGRES	SikkerGuard: 2 blocked packets
User	Mar 22, 2026, 06:06	Brute Force	POSTGRES	SikkerGuard: 12 blocked packets
User	Mar 22, 2026, 24:17	Brute Force	POSTGRES	SikkerGuard: 14 blocked packets
User	Mar 21, 2026, 18:14	Brute Force	POSTGRES	SikkerGuard: 14 blocked packets
User	Mar 21, 2026, 24:17	Brute Force	POSTGRES	SikkerGuard: 322 blocked packets

1 / 5

$ sikker related 212.113.98.30

🇷🇺·More threats fromRussia→AS·More threats fromNekobyte International Limited→POST·More threats targetingPOSTGRES→DOCK·More threats targetingDOCKER→{ }·Browse allAttack Patterns→

Report IP WHOIS Lookup →

IP Address	Confidence	Events
2.27.123.58	78%	4
2.27.121.23	48%	3
2.27.123.100	73%	3
2.27.121.105	23%	1
2.27.122.220	64%	1

IP Address	Confidence	Events
81.29.142.100	100%	35,033
185.44.9.140	33%	183
95.215.0.144	100%	13,995
85.239.40.127	23%	1
94.29.124.144	27%	136